Thursday, March 28, 2024

GravityRAT – A Powerful Remote Access Trojan Conducting an APT Cyber Attack in India, US and UK

A newly uncovered APT Malware called GravityRAT deployed by a hacking group to attack various sectors in India, US, and UK.

This GravityRAT remote access trojan has been under continuous development for the last 2 years by skilled cyber criminals and increased a lot of future to maintain the persistence.

It has been distributed with new futures beyond traditional remote code execution and anti-VM techniques.

GravityRAT has been already observed by National Computer Emergency Response Team (CERT) of India and warned about the seriousness of this attack which mainly targeting India.

National CERT reported to block the IOCs at the network perimeter/gateway level and also warned to check the logs for any communication from hosts.

Hackers Origin

The researchers believe that the attackers could be using a proxy or a VPN  in order to evade the identification of the origin where the attack controls this Malware.

According to Talos Researchers, specific cybercriminals used at least two different usernames in the past two years: “The Invincible” and “TheMartian.”

Apart from this based on the malicious document submission, more specifically the documents used to test anti-virus on VirusTotal, were submitted from Pakistan.

Based on the Command and control server request, a large amount of C2 server traffic requested from India and other Traffic comes from US and UK.

GravityRAT Infection Vector

Cyber criminals Mainly used the Word Document as an initial infection vector and embedded Macro used within the crafted document to execute the malicious code on victims computers.

Once infected users open the malicious document, it forces victims to enable macro code in order to execute the payload which packed as-as Zip file that contains a Malicious exe file.

Attacker tested their malicious document several in Virustotal to make sure the document shouldn’t be detected by any antivirus engine and if its detected they modifying the file structure in order to evade the detection.

Their multiple versions were uncovered by researchers that stealing different sensitive information and files from the vicitms computer such as,

  • MAC Address
  • Computer name
  • Username
  • IP address
  • Date
  • Steal files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf and .pdf
  • The volumes mapped on the system

The latest version of the GravityRAT  collecting information on the system account (account type, description, domain name, full name, SID, and status)

Each new variant of this remote access trojan has different new future and the developer used the same C2 infrastructure for this time to established communication from victims.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles